Are You Ready for Canada’s Digital Privacy Act?

Jan 15, 2018

Some big changes are coming to Canada’s private-sector data privacy law, otherwise known as the Personal Information Protection and Electronic Documents Act, or just PIPEDA for short. Back in September, the Feds released a draft of The Digital Privacy Act, an amendment to PIPEDA that will establish mandatory data breach reporting requirements for private companies.

Since 2016, cyberattacks have increased—160% year over year, to be exact—and it doesn’t look like they’ll be letting up anytime soon. Invasive technologies continue to advance at an unprecedented rate, and more people are using cloud-based platforms.

The Year of the Hack

It’s easy to see why people have called 2017 the year of the hack. Three big data breaches made Canadian headlines last year.

Equifax topped the list of cybersecurity no-shows with their massive hack in September, exposing the personal information of nearly 150 million people. For now, that’s the biggest corporate data breach of all time.

Sadly, Equifax wasn’t alone.

In November, it was discovered that Uber had concealed a cyberattack that’d affected nearly one-million Canadians. Our own government has fallen victim to cyberattacks as well. Public Services was hacked over the summer in one of the largest security breaches to affect a federal government department. FYI, from April 1, 2015 to March 31, 2016, our government departments have collectively experienced298 data breaches.

This is why The Digital Privacy Act is so important. It’ll hold companies accountable and protect the consumer. Though it hasn’t been implemented yet, this is the year it’s supposed to happen. And it’ll affect how you do business.

The Digital Privacy Act

When the Digital Privacy Act is finally implemented, organizations will be required to report “breaches of security safeguards” that might cause “real risk of significant harm” to the Office of the Privacy Commissioner of Canada. The legislation defines significant harm as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft.”

They’ll also be required to notify all affected individuals. Finally, companies that have been hacked are obligated to maintain records of those breaches for a minimum of two years. Organizations that knowingly fail to conform to these reporting requirements could face fines of up to $100,000 per violation.

In other words, lots of money.

What Does this Mean?

One thing’s for certain: Canada’s getting serious about cybersecurity, which is a good thing, and not just for consumers either. Too many companies have been ignoring their digital duties security. The ramifications of doing this can be dramatic. Just look at Equifax. Public trust in the company is at an all-time low.

While the Digital Privacy Act isn’t being enforced now, it soon will be. This is an opportunity for organizations to empower themselves with effective security measures. To not only protect themselves, but to protect those who do business with them too.

Remember: you can never be too careful. Nowadays, cybersecurity should be an operational priority, which means all organizations, large and small, need to implement protocols and procedures to meet these new regulations.